First I wanted to ask if you could remove the direct link to the pirate site. I know the feeling is that anyone can find where to get these things but it just feels unnecessary to make it even easer.

Beyond that Great Article! Way back all people could do is screen scrape textures or eyeball prims to copy your work. Now they can roll on in and "point and click" perfect copy most anything. The Lindens, content creators, and consumers have to understand this is an escalative war we are in and we all need to step up.

Personally I'm getting tired of the "needs" of opensource and "New avatar rights" being used as reasons to not take action. Restricting unverified avatars to adult content hasn't "killed" SL any more than limiting their ability to operate a "business" will. And Yes, when that hole is closed they will find other ways around it, but let them add Identity theft and stolen CC numbers to their list of crimes and see if the cops showing up makes it a bit more real than a DMCA takedown notice.

Gwyn - thanks for writing this up. Sorry I've been slow to respond with more followup from our chats, but I've been kept busy. :)

One thing I did want to remind you and mention for your readers is that a key reason I think this course of action has a chance at working is because it goes back to the idea of using tried-and-true techniques from web surfing.

Should you accept an .exe or an email from someone you don't know? No, it could be spam, or worse - a virus or spyware. But people do anyway, because the whole point is to make the Internet accessible to everyone, including technical novices. So anti-virus software, anti-spam filters, Operating System network security, and features in browsers have been developed to further help keep users safer on the 'net. In the same way that someone ought to have some establishment of trust - you visit their website and they have a signed certificate, you need to confirm someone Facebook, your email warns you before you open an attachment, etc - these solutions you present work in the same mindset.

And look at the use case. How many brand new users actually need to transfer items right away? Certainly they'll want to accept them, buy stuff, get freebies, etc, but give them away? If I'm a new user and I'm told, "Sorry, you can't give something to someone else until you confirm your account", that would seem on par with registering for eBay as a real seller, etc.

As for L$ transfer, it's pretty common that people already in SL may bring in a friend and give them L$ to get them started. I don't see how restricting this helps. However, simply warning the user has the effect of, "Are you really sure you want to give this person money? They don't have an established reputation."

I'd like to hear feedback from other folks on any holes in these suggestions and any improvements to the idea.

You're right, I should have re-visited our conversation to remember to put it all in! I forgot about the bit "this is how the Web/Internet works in terms of trust". Of course people reject spam emails, or mails with attachments from people they don't know, and specially people with obviously fake email addresses. But that took some time, too — they had to learn "not to trust strangers". So obviously this should be "replicated" in SL as well...

I'm quite interested in hearing about the flaws of the idea, too!

I'm deeply unconvinced that limiting unverified accounts this way would work in an effective way.

I'm also inclined to believe that Linden Lab is not going to do that, and that they won't do it for the right reason. Time will tell.

Mm yes, Opensource, I'd love to hear your reasons why it wouldn't be effective; if you're "deeply unconvinced" I'm sure you have a reason why you're not convinced, and I, for one, would love to hear it! Namely, what would pirates do to subvert a system as described above? How would they continue to distribute and disseminate stolen content and sell it if they cannot rely on discardable alts? Would they massively switch to validated avatars with stolen credit card information? (If so, the problem would quickly solve itself as the RL police would catch them) Or would they use something that would still allow them to distribute and disseminate stolen content that we're not aware of?

I'm also curious about the "right reason" :) What is the right reason?...

He's likely a pirate himself. It would quite obviously throw a huge monkey wrench into the operations of anyone pirating for profit.

I basically just want to say thank you for not blaming everything on LL and for recognising the technical impossibility of preventing content copying in SL. People like to use the web page analogy (to steal HTML or images, just save to disk) for copybot, but this confuses people sometimes, or doesn't equate to "impossible to prevent" in everyone's mind since what goes on under the hood of a computer is a mystery to many. These days I tend to liken it to a broadcast radio station trying to prevent people from recording songs with a tape recorder. It's a theoretical impossibility.

Turning off inventory transfer for unvalidated avatars is an interesting idea. Unfortunately, this would prevent unverified accounts from opening a store, sharing snapshots, sharing freebies among new users, and collaborating on build projects. On the other hand, it would practically eliminate all organised content theft and some forms of griefing. Maybe you're on to something, but this needs a ton of careful thought and analysis. Remember that (for the most part) all oldbies like us start out as confused newbies checking this thing out because it's free. If we give them a hostile vibe, or send the message that they aren't fully trusted users, we're going to lose a lot of potentially talented Residents.

Furthermore, I know some long-time, completely legitimate residents still without payment info on file. They are fine with it that way, the same way that a WoW or EVE or whatever player is happy with the in-game money in those worlds. If they don't have the L$ to buy something, then they don't buy it, and wait until they can earn (or, unfortunately, beg) more. Please keep in mind that those of us who blog or twitter or otherwise write about SL aren't the majority. Not everyone buys and sells L$, not everyone makes content, and not everyone keeps track of changes proposed by LL or whatever the current furore is over content theft, age verification, lawsuits, and whatnot. To a significant portion of residents, SL is just a free game they dick around with, to flirt with people, have amusing chats with anonymous strangers, or to support friends or loved ones who are into it. We have to think very carefully before disenfranchising all these people. (I don't have numbers here, but I suspect they may be the majority.)

Most importantly! Let's not forget; I have several alts and I use them to build or script and not be disturbed. If I have to verify these in order to have them transfer objects to my main accont: ugh.

SL is a social forum. Any significant changes in the rules governing interactions are changes in the entire social structure. They must not be undertaken lightly.

At this stage, I would say that it all comes down to what's more important: allowing the dissemination of pirated content or allowing unverified alts to do basically everything they wish (piracy, griefing, etc.).

There is one old saying in my country that goes, "the just pay for the sinners", which might be true. I remember similar arguments having been raised when LL removed the rating system (useful for social integration, but quickly gamed and thus dropped); the list of friends displayed on your profile (also something every other social tool allows); and finally, removing free technical support from non-Premium accounts. Every time people started abusing a certain feature, LL dropped it.

Well... your arguments are all very good against allowing alts to transfer content. Serious collaborative building would be limited for the ones not wishing to validate their accounts. Maybe Linden Lab could introduce something popular on most OpenSim grids and on Blue Mars: you'd have a "master account", different from your avatar logins, and could tie your alts to it. Validate the master account, and all avatars get validated as well. That would make things simple.

Was it really necessary to misuse the word "autistic" in that manner? There are many people in SL who are on the Autism Spectrum, and a number of support groups. You use it like we used to use the word "retarded". Couldn't you just say "unaware of" or "uncaring of/about" rather than using autistic in such a, to borrow your own word, "misguided" way? This is really very offensive.

My apologies, you're so right — I have a terrible limitation, which is having learned to write before the expression "political correctness" became popular. This means I easily fall back to early phrase constructions that are now considered very offensive; "autism", before Hans Asperger brought this term into medical science, was just a word describing "an abnormal absorption with the self", and it was that sense I had in mind, not any clinical condition, and I definitely didn't mean "retarded", which should have been clear from context. We would say these days "compulsively looking at one's own navel" to avoid the confusion and not offend anyone's sensibilities.

But this is not an excuse for not being more careful, I should have avoided that. There was definitely no intention in comparing Linden Lab, or any of their employees, with any person or group of persons suffering from a psychological condition. I'm sorry for that.

Interestingly, I got more personal messages about my lack of political correctness on that sentence than on the overall article... which shows how just a single misplaced word can destroy a whole argument.

Perhaps "narcissistic" would be the better term.

Yes, you're right, Melissa. That would indeed be a better term and definitely not so offensive for some.

Hi Gwyneth

Excellent post, and a well considered argument.

This kind of theft hurts us all, driving out the real creative types into other realms, so getting something done about it should be a high priority.

It's a new take on an old problem, and using the kind of "we can't stop them copying but let's get rid of the incentive" mindset looks like the best way of dealing with it.

I like the idea of forcing unverified accounts to be unable to sell items, but wonder if it's a bit too restrictive. It might be difficult (as you mentioned) for some nationalities to become verified, which effectively creates a 3 class system - those who can and do, those who can but don't want to, and those who want to but can't.

Perhaps in addition to the measures you mention is to look at other methods of verification. Perhaps allow unverified avatars to have a "sponsor" av - who would effectively become a kind of "verifying authority" - without the need for the current forms of verification that some people struggle with.

The sponsor av would need to be fully verified of course, and would be held accountable for any misbehaviour from the av they sponsor - plus you could limit the number of avatars anyone could sponsor to keep the risk of a pirate attempting to legitimise his/her alts down to a low number.

This would then allow people in countries where verification is not possible to continue to function as "full" members of SL society, provided they were able to convince a verified av to sponsor them.

That's true. And it's a problem that Linden Lab never managed to deal with. They simply expect that residents on countries with no access to PayPal or a credit card use an alternative currency exchange that offer different of payment for those countries. Since these are not affiliated with LL, it would mean they wouldn't provide validation.

I have no idea on how LL can deal with that except by offering more ways of validation. A curious idea, used by World of Warcraft, is to distribute small tokens, available on shops, which you would buy for a very small fee, but would have to show some valid ID (valid for your country, that is) to purchase them. These tokens, once bought, would give you the exact amount of L$ at the current exchange rate. The problem is that while Blizzard is a world-wide multinational shipping their products everywhere, LL is not, so these cards wouldn't be universally available, either.

The idea of the "sponsored avatar" was also suggested by Hiro Pendragon in our chats. As you might know, avatars can be registered via the Registration API, and this always requires a special avatar to allow others to be registered through them — Linden Lab keeps track on who is registering other avatars. A slight change in ToS would allow these third-party RegAPI portals to be responsible for their users, and thus allow them to create validated avatars if they followed simple rules. It would be left for each RegAPI portal to ensure they create their own methods to deal with validation; typical uses, like companies bringing their employees or partners in-world, or universities bringing teachers and students, would be quite easy to deal with. It's a very good idea, and one not requiring thorough implementation on LL's part, just on the RegAPI portal providers.

WoW's time cards aren't used as validation, Gwyn. You can buy them with cash. They just give you game time. And even if SL did use them that way, I'm not sure how it would help. Sure some game-shop merchant saw your ID, but how would that translate into Linden Lab knowing who you are?

I'm sure my communication skills are failing me :) Twice in so many days, gosh...

I didn't mean that WoW cards are used for validation; I was suggesting that using those cards, and requesting that people show some form of local ID to the shop owner when buying them, would be a form of validation. This would obviously mean that LL would have to trust shop owners, just like they trust, say, PayPal, a credit card gateway, or Aristotle.

OK, I still don't get it. Just dense I guess.

How does showing shop owners your ID help? Everyone has an ID -- even pirates. Unless the real-world ID information gets communicated back to Linden Lab, or Linden Lab is able to publish some sort of blacklist, can't pirates just keep creating new accounts anyway?

I definitely need some coffee — it's my fault, mci, not yours :)

Imagine a library card. You fill it with your personal data and it gets validated by the shop attendant by checking your ID. Then the shop attendant can either register on your behalf, or, even better, simply give you an unique code (say, an UUID!), which is tied to the card (it might even be printed on the back of it or something similarly simple, with those metallic covers you can rub off to reveal it). The card costs, say, US$5, of which the shop gets a percentage.

Now there are two alternatives. The first is that the shop attendant actually has a computer and manages the registration on your behalf. He puts the code in and you'll get a password sent by email when you get back home; at the same time, you'll get the equivalent of the US$5 in L$ for you to start with. Later the shop can send the filled-out cards to LL and receive their commission.

The second alternative is that LL keeps track of all batches of cards and knows which shop they come from (e.g. having a mechanism saying which unique numbers were sent to which shops); so, when you register at home with the code you've got, LL also knows where the validation has come from. This is less secure (the shop might lose the card, for instance; they wouldn't get any commission, sure, but they would have given someone a valid registration code that is now untraceable to a real ID) but would probably work better on shops or kiosks without a computer.

Both methods are, however, very cumbersome. They require a lot of logistics to work: printing cards, tracking numbers, dealing with distribution, dealing with commissions, etc. Too cumbersome, specially when you think that the whole point is to reach those places where people have difficulty in getting credit cards...

I know, I know. It's just a thought; it'll never be implemented.

business people will not even like RUMORS of similar tools floating.
draws them off.
cannot help it, it's understandable

seemingly it's time for an exodus into Blue Mars now, better graphics and more reliable business opportunities. SL platform can still life on as OpenSims for the nostalgic people

oh, some are mouthing this in a more drastic way ->
"Third party viewers have GOT to go. They are lawless, they are destructive. They do not solve bugs and make things better as everyone claims. It's just bullshit, over and over again, the Big Lie, and I'm tired of it."

Luisa, you're far too optimistic about Blue Mars :) Have you already registered as a developer there? :) If not, try it out. Not everybody will be happy with the censorship that Blue Mars applies over content, and this will stifle a free market of digital content — only a very selected few will be allowed to participate in it, just like on all close-content virtual worlds out there. It's a completely different market. (And the comment on "better graphics" is still something we have to see once Blue Mars comes out of beta, and compare it with LL's new viewer, which will have meshes, shadows, and clickable HTML).

The problem with "third-party viewers have got to go" is technically impossible to implement. That's the sad story behind it. It's like saying that "Firefox users should not be allowed to connect to the Web" — there is no way to "detect" that a user is using Firefox or Internet Explorer when they browse the Web. Right now, the only distinguishing feature between a "third-party viewer" and LL's wide range of viewers (they have several...) is just a string in the code saying so. A string that any child can change to say what they want. I had made a few suggestions on how to limit that, but there is no technical solution to make it 100% proof against tampering. No, the solution doesn't lie on forbidding people to connect to Second Life, but by restricting what they can do once they're logged in.

Worse: Blue Mars uses an existing game engine for which there are already mesh and texture rippers available. The only reason there isn't a Blue Mars copybot isn't some inherent advantage to the architecture that supports security (because it doesn't have anything unusual in that regard as current video cards don't support security) but a lack of interest in customizing the rippers for ease of use while there is no content "worth" copying.

Excellent point, John! Oh yes, as soon as there is content worth copying in Blue Mars, I'm sure there will be a lot of people copying it. Perhaps the difference in Blue Mars is that they might copy it (specially if this content becomes valuable enough to be worth the effort) but not be able to sell it (because Avatar Reality screens all uploaded content and doesn't allow everybody to become a content developer).

Thus the suggestion to do something similar in SL.

Blue Mars is a joke. It's the latest fart in the virtual world wind.

I wouldn't go that far :) I simply see it as "Sony Home for the PC", which is certainly a very interesting idea.

The difference is that Sony Home is Sony. Sony Playstation has millions of users all over the world. Sony has a huge amount of game content, and the resources to keep creating more.

I remain deeply skeptical that the third-party "city developers" are going to show up. We have nothing but their word that there are any AT ALL.

Blue Mars is at this point is little more than a prototype and a press release.

Ultimately you'd be right, but a recent comment by Avatar Reality's Community Manager [registration required] has just claimed:


Here are some projects underway or being planned, based on discussions with developers in-world and via email, forums, chat, etc:

Numerous themed cities, ranging from historic regions hundreds of years old, to cities set 1000 years in the future.
Several types of racing games.
Exhibits based on real life tombs, museums, historic cities.
Interactive art exhibits.
Various types of vehicles.
Clothing of all sorts.
Avatar skins.
Avatar hair.
Avatar shapes.
A.I. bots for shops, tour guides, FAQs, and more.
Houses, apartments, condominiums, hotels.
Themed environments designed to provide a unique experience or mood.
A building set on Phobos, one of the moons of Mars.
A building made from clouds.
An underwater building with a sea life attraction.
Numerous avatar animations and interactions.
Various local and international school projects.
Simulations and lessons that will bring together students from several nations.


Also, Glenn Sanders claims that "[...] There are many Blue Mars projects underway by independent developers, who are currently 99% individuals and small indie teams."

I don't know how many is "many". I signed up with my content development company to become a Blue Mars developer and all I got was access to their super-secret, restricted-access developer forum — which, not surprisingly, is made of 90% of SL residents (the rest being a mix of game developers and some Avatar Reality representatives). All seem to have been given access to the many tools shown on their developer Wiki. I probably did something wrong and never got a special code or link to be able to do the same.

So mmmh. I'm not "deeply skeptical" about Blue Mars; I think it'll compete with Multiverse on the same market: remotely hosting MMORPGs for small, independent companies. Does that affect Sony Home? No. Does it affect Second Life? Even less. Granted, I might be totally wrong, but I'm sure that it'll take a few years to get Blue Mars really rolling, and in "a few years" Second Life will have changed like ever before (hint: meshes, shadows, user-created client-side plugins using the llMediaPlugin API which will allow Flash-based HUDs to do whatever you need, and, of course, the first integrations with OpenSimulator-based third-party grids. Blue Mars will compete on the first technical features — and they have three solid arguments to win the race: vehicles, weapons, and coordinated animations — but cannot compete on the last one).

So I'd say I'm "conservatively open-minded" to see what will happen. So far, my impression is that Blue Mars is really just a Multiverse/VastPark competitor, which possibly benefitted from better hype, and launched an open beta generating high expectations to the end-users, while they're really targetting developers.

Maybe they'll find out that attracting developers is not so easy as they think; the many OpenSim grids have the same problem :)

Gwyn - thanks for one of the more coherent discussions on this topic. I agree wholeheartedly with the solution of only allowing verified accounts to be able to sell items. Frankly, I think this has been a long time coming. I'm still deciding how I feel about the Linden preferred solution (an official Content Seller designation - totally voluntary.) I sympathize with the desire to encourage new content creators just starting out, but this is one of those areas where the social contract has to fall in favor of regulation at the loss of a few freedoms. Every bad experience a consumer has in SL reflects back on every content seller. Poor customer service, products that fail to perform as advertised, bad documentation, rotten attitudes, content theft...every time a consumer meets up with one of those, it dampens their enthusiasm for additional purchases in the marketplace.

It will never be possible to shut down every content thief in SL, but if we can keep them from profiting it will be enough. I also agree with Hiro that it would be impractical and useless to prevent transfers from unverified accounts. When I was still a newb I managed to get a copy of a bunch of helpful notecards somewhere in my early days and I shared the heck out of those with other newbs trying to learn the in's and out's of SL. It would have been a shame not to be able to share knowledge like that.

At the end of the day, you gotta follow the money. Shut off the money spigot and the problem becomes manageable.

I'm also curious to see how much of an impact LL's "official Content Seller" programme works out. Maybe it's a far easier solution that will work, without limiting anyone's abilities to do whatever they please in SL.

Still, I'm a bit skeptic about human nature — people will cheat if there is no incentive against cheating. Not all people — we humans are strangely more ethical and law-abiding than we think, according to some statistics — but definitely enough to spoil the fun for all of us. Since there is no way to "punish" the culprits, the only solution, IMHO, is to limit their ability to do us harm... and that's within LL's powers.

Rather..interesting idea.
Which could work without too much of problems.IF LL wants it.
at least while 'verified' is considered PIOF and not Aristotle verification.
another option will that if avatar is registered via LL's RegAPI (and many bussiness customers are like so) they can be considered verified if RegAPI user(which ARE heavily verified) says so(if they do something wrong - all questions are to RegAPI user...)

p.s.Of course this model can be exploited(there are ways around this scheme,but difficult ones) or just that if content creator got RL information which shows Country:Antigua (google on their copyright issues with USA and WTO decision) but still, I'm in favor of this idea...

LL now considers validation to be possible by simply buying L$ from the LindeX. Whatever payment method you use is enough to get validated (ie. they place the burden of validation on credit card companies and/or PayPal). If you have no way to validate yourself with a credit card or PayPal, you have the option to try Aristotle verification. If all else fails, you can send LL a fax with your ID :)

Validation via credit card and/or PayPal has a huge advantage for Linden Lab. Of course you can steal a credit card and use it to create avatars; but that makes it a major credit card fraud and can be dealt with by RL police all over the world, while "breaking ToS" is not really a crime and can only be dealt with by permabanning... which is, as we all know, not really a solution (pirates can easily create alts from different places and thus avoid permabanning pretty easily).

The disadvantage, as many have pointed out here, is that there is not a single way to guarantee that all legitimate residents wishing to get validated are actually able to do so. A secondary disadvantage is that some people simply do not want LL to have access to any of their RL data, but still wish to enjoy the vibrant Second Life economy, and participate in it as content creators. These cases are quite hard to deal with under the suggested approach, and I'm at a loss on what to do about them.

See above for some thoughts on "local" validation through RegAPI. I think that might work, too — shifting the burden of validation to other, local/regional organisations who might have alternative methods of dealing with validation.

For those worried about their alts not being able to build and give the product back to the selling avatar; you can always give them edit permission, they probably already have this, and just drop a full perm prim for them to work with. When they are done building, you can just take the build. As for scripts, well they copy back to your computer very easily and you probably alerady keep copies of them anyway.

... so long as that very same trick doesn't work the other way round :)

But yes, of course you're right. In a sense, some residents would vouch for others, which is also a way of "validation".

Good thought that - a simple change to TOS is probably far easier for LL to swallow than any kind of technical solution. So automatically make avatars registered via the Reg API "verified", and then you have a suitable audit or control.

I'd love to think that these ideas are already being kicked around at the labs.

Well, let's "make it so" :)

What's the point of allowing people to signup unverified and not be able to transfer content? If you're going to pull something that harsh then make them verify before signing up.

How would a class work this way Gwyn? How would they submit items back to the tutor or their fellow students?

"Even if you did a copy of the CD to have the original on your stereo at home and the copy on your car’s CD player, this would not be very serious. In general, making copies for your personal use is relatively legitimate and ethically acceptable, even though I’ve seen lawyers claim otherwise."

Actually, this (making personal-use copies) is not only entirely legal in the United States, it is a legal *right* and clearly documented in the U.S. Copyright laws. A "tax" is even paid on all blank cassettes (I know - who buys those anymore?) and blank CDs and DVDs to cover this. Which is all part of the fight against DRM and it's limitations.

"Things start to get more serious if you borrow a music CD from a friend and copy it to your iPod. That is already a violation — since from the perspective of the CD’s authors, they have licensed it for personal use only, and now two persons are listening to the same music, but only one paid for it."

This also is fully legal in the United States. However, the *key* is that it must be an actual acquaintance to you - cannot just be some stranger on the street. It absolutely becomes illegal in the United States when, as you mention, it is posted on the internet where anyone you *don't* know can download it.

For example, it is not illegal to *download* music, it is illegal to *share* music via the internet where the *public at large* can take it.

Now, I point this out because it does relate to SL content and the willyt-nilly taking of it as far as some attitudes might be concerned. U.S. Americans have been raised for a couple generations knowing it is legal to make a copy for one's self and friends. It is simply taken for granted and no one really thinks much about it. It's just a right that is 'there'.

Unfortunately, this mentality has spread to 'sharing with anyone' via the internet. Which, of course, extends and lends itself to within Second Life, as SL is really just an "extension of the internet".

As for your solutions to the problem - limiting "unvalidated" accounts: I agree - it would be a wonderful solution. But technologically would require a massive amount of work I suspect, not to mention a load on the servers as they constantly check assets against account type (and not even type, but rather status as to 'authenticated' or not.)

I also very strongly concur that the problem isn't the copying, but rather the redistribution. After all, I know you remember the arguments since back in 2006 (and certainly much earlier) about a way to "back-up" our creations to our own hard disk drives and not rely on the grid asset system.

Do we want our cake and to eat it, too?

The features of the Neillife Viewer, Streetlife viewer and others are the same as those found in the Meerkat viewer. Yet no one is wreaking panic havoc over that one. The simple truth is there are useful features everywhere that can be abused. The question, as was argued in the Sony Betamax versus MPAA suit: does the feature pose significant legal benefit versus abuse?

That's not for me to decide on this issue.

The issues at hand comes down each creator's own priorities in their "Second Lives": paranoia versus dealing with the fact that it exists, hope you aren't stung and simply try to adapt. That's my personal take on it. Don't get me wrong, I know it is devastating to discover you've been copybotted - been there, done that, witnessed the pain myself.

But if we live our lives in fear of that earthquake that *might* sink our homes some day, will we ever be at peace and enjoy what we have now?

It's nice that many creators are able to raise enough money to allow SL to "pay for itself". But as for anyone who proclaims to make a "living" from their earnings in Second Life (the usual rebuttal to my arguments) - they are a fool and an ignorant one at that. They would do well to evaluate their 'business plan' and options with regard to something so important as livelihood (and even supplementing such) and not put all their "eggs" into a single basket - especially one they have no control over (relying entirely on a third party company that not only doesn't promise to exchange 'tokens' for legal tender, but actually specifies in their TOS that they will *not* do so - hence they do so now at their own whim and circumstance.)

The problem is that there is no way to "plug" the "hole". Your suggestions are noble. But what about the Open Simulator project? Or TribalNet? All the rest? We can ask the little boy to stand there with his finger in the hole of the dike and hope and pray and worry all day long or we can b proactive and prepare to waterproof ourselves as best we can and try to work together to keep each other 'dry.'

At least, that's the way I see it.

So off topic, but I saw this beautiful girl image next to your name in a posting on Prad's site.... Sort of like Britney, but classy.

Do you have that any larger?

Ah sure, the picture is a wonderful photo taken by my friend Gwen Carillon, who's an awesome photographer, and although the picture is quite old, I still love it!!

I am also new to the second life initially when i saw it's layout & user interface i became very happy but after reading your post about the security i am feeling very scared of the secondlife!

Karamjit, Second Life is like democracy with the freedom of expression: it's better to know everything that can go bad, fully knowing your risks and what can happen, and also knowing that these things are incredibly rare and unlikely to happen — than "being in the dark" and having no clue of what's going on, which is what happens on, well, almost all applications out there...

Hi!

Congratulations! Your readers have submitted and voted for your blog at The Daily Reviewer. We compiled an exclusive list of the Top 100 virtual worlds Blogs, and we are glad to let you know that your blog was included! You can see it at http://thedailyreviewer.com/top/virtual-worlds/3

You can claim your Top 100 Blogs Award here : http://thedailyreviewer.com/pages/badges/virtua...

P.S. This is a one-time notice to let you know your blog was included in one of our Top 100 Blog categories. You might get notices if you are listed in two or more categories.

P.P.S. If for some reason you want your blog removed from our list, just send an email to angelina@thedailyreviewer.com with the subject line "REMOVE" and the link to your blog in the body of the message.

Cheers!

Angelina Mizaki
Selection Committee President
The Daily Reviewer
http://thedailyreviewer.com

I have yet to talk to anyone who feels stealing the work of others is moral. The problem is finding out the actual scale of the problem and putting in place a system that is commensurate to that. Locking out unverified users and ID checks to me is for a problem about six times the scale of swine flu and I am not sure we are there.

I know this is water compared to the more solid ideas, but maybe as a first step something like E Bay does. If I don't see a good history, feedback, and people saying they were pleased, I don't buy.

Second, maybe a higher tech option like product activation. No doubt they would copy that as well but there has to be a way to lock items to an owner using a certain authorization system Linden would maintain. This part is going to annoy, but I would like to see it go both ways. If you see your product in the hands of someone illegitimately, you should be able to disable it (or pop a big box over their head making it less useful) at least until it's clear it's legit.

One thing I would like to see is a way to ban someone and mean it. Maybe there should be more needed to open an account.

Lastly, if I steal a can of soup from the store, they will call the police and they will arrest me. Why is a ban the only extreme solution here?

Well, we did have a rating system in the early days of Second Life; it was so heavily gamed that Linden Lab got rid of it. But sure, an eBay-style thing, with a dispute resolution system, would be great to have! Also remember that eBay + PayPal do a much more thorough validation than Linden Lab does: for instance, if you're completely unvalidated, you're restricted in the amount of money you receive. That would also be a possible solution: make unvalidated avatars unable to receive more than X L$ per month or so. But of course the solution then would be to have different alts and run several shops, rotating owners... which wouldn't work.

The "technical" idea you suggest is what Tateru Nino says that will make someone utterly rich if they can manage to develop it, because, really, no copy-prevention system will work. It's like trying to invent a perpetuum mobile. Clicking on content and flagging it as possible copies would be an idea, but then again, you can do that using Abuse Reports today: the problem, as you said, is that Linden Lab is too slow to act on it, and their bans rarely "stick".

And finally, if you're able to afford it, you can always pay lawyers to file a lawsuit on someone who copied your content. That option is always there, and it will be up to Linden Lab in court to reveal the resident's data. But, of course, most people cannot afford it... specially if we're talking about international lawsuits.

Well Gwen, as you know this is a subject my team and I have worked very hard on for our OpenSim grid. I'll not give out the name of it because I don't wish to be accused of marketing through this blog, but suffice it to say its resonating with content creators. While we can't promise 100% protection - NO ONE CAN - out system does take a holistic approach to grid security that so far has been very successful. Let me explain, but first a little disclaimer to maybe cut off a lot of unnecessary flaming and teeth nashing. Our grid systems don't appeal to everyone and that's fine. Its not our intent to be the grid for everyone. We are a very business minded grid and we feel trying to please everyone in a single grid is just not a realistic goal. So, for those who would feel this is too restrictive and would like to argue that point, its fine. You have every right to express you opinions. Just know its not going to change our direction and remember you have many many other OpenSim choices besides our grid to choose from besides ours.

Having said that little disclaimer, here is how we've addressed content theft on our grid:

1.) Registrations of FREE FOREVER accounts with the use of our client get you access to the General Population sections of the grid, and you can chat, travel and even shop to customize your avatar, but you'll not be able to own land, rez prims. build or script.
Why? We know this is the number one preferred means of hacking, spamming, scamming and
lagging on any grid and we feel our paying customers deserve to be our main focus on them
rather than handling griefers and such.

****For you shop-a-holics thinking how can you unpack your purchases if you can't rez or own land
we simply instruct them to attach the box to their avatar and unpack it directly from there.
If you're doing the V-8 head slap, TRUST ME! I was there too, thinking of all the years I went
running back home to try on stuff. :P And go figure that a very STRAIGHT male avatar GUY
thought this up!!! OK ... I digress!!!

2.a) All paid memberships are verified via PayPal accounts, providing reasonable verification on age and identity in one step without being invasive or demanding your national ID or driver's license.
Why? While some kids might brave sneaking mom's CC out of her purse to get an account,
we're betting they'll be much less likely to go rummaging through their parents
banking statements to verify a bogus PayPal account.

2.b) All membership are created under one PayPal verified Passport Account that services and controls up to 5 avatars. This means their Passport account is linked to all aspects of their grid experience, such as land ownership, selling privileges, mature area access, and the ability to see and purchase mature content. If one of those avatars messes up it has the potential to affect all the other avatars if they are suspended or even banned. Yes, a new PayPal account can be created, but that's not an unlimited option and would put anyone using fraudulent information to establishing those accounts in real jeopardy of being prosecuted on a criminal level.

3.) We sort all other clients than our own to an isolated region, blocking potentially malicious clients from accessing the rest of our grid.
Why? If they can't see it they can't copy it. Some jump to the conclusion that we are a closed
network, but that could not be further from the truth. If you'd like to hear more on that score
you'll have to be clever and figure out who we are. Simply would take too long here and digress
from this conversation, but suffice it to say we've made cross grip TPing and selling a reality.

4.) We support a community driven Mediation Panel of 3 to 5 randomly selected registered paying users to hear DMCA cases and even other grid disputes. They are responsible for making any recommendations to what should happen. They also have the option of turning to a real world legal agent to advise if necessary.

5.) If one or both parties are not happy with the recommendations they have the option to take it to court, or go through Arbitration with our real world judge residing, whose opinions are recognized by most courts world wide - all for a very affordable fee of $100-$300 per person. If one of the parties refuses to pay the fee than the other party can foot the bill, but per our TOS they are required to participate or settle on the Mediation Panel's resolution, or relinquish their membership account and be suspended or even banned from the grid.

6.) We educate through the mediation system by allowing the residents of our grid to witness the proceedings. Everything is out in the open as a means to keep it honest and to educate the community on the difference between mediated agreements and how the letter of the law applies to a given situation. Sometimes what is right isn't always legally possible to make right.

To all the nay sayers who will cry out that any hole can be punched into our security, yeah you might be right, but we kinda figure its like any software development, in that its an on going committment. Rarely is software made and then touched or upgraded again. Why should the security of a grid be any different?

To all those who would argue that there are other non-client ways to rip content, we'd have to agree, But seeing our content creators will get meticulous records of purchases made by verified avatars- not only of those on our grids, but those they sold to other grids - it will be very easy to point out items that have been ripped and found on grids not authorized to have their content there. Are our systems perfect? No, but we feel they create enough road blocks for those who would fain ignorance of what they are doing to think twice.

Why are we being so diligent? Because its the right thing to do. Both owners of this company are experts in their field, one being a 14+ year vetran of the 3D Web, and the other being an IP attorney out of Washington, DC. So yeah, we take this stuff seriously.

Can we promise copybot or interface copy tools will never gain access to our grid? No. NO ONE can promise that. But we feel that is not reason to give up or not even try. If we only match real world security success of 70-90% that's a huge improvement. And we still believe that if you give people enough reasons to pause and think of what they are doing, the majority will make the right choice.

Ultimately though, its time people realize that the theft of content creation ISN'T PART OF SOME 'GAME' OR A 'GAME CHEAT'. Its a real and legally prosecutable offense, both civilly and criminally. But I'd much rather they look at the many artist who make these great assets as real people who pay their bills, keep a roof over their heads, and take great pride and joy in providing us with some of the best content the world has seen to date. Isn't it time we respected their hard work and stopped pretending its JUST a game?

*sigh* And once again I misspell your name Gwyn. Just blame it on my stoopid dyslexic fingers, ok? *bangs head on desk a few times and looks up apologetically*

Wow Tessa, thanks so much for that information! I see a lot of thought has been put on SpotOn3D's safeguards — really, what you're doing is pretty much what Linden Lab is supposed to have been doing all the time. It's actually ironic: you're pretty much implementing something that eBay has done (or even going a bit beyond it, since the mediation and arbitration panels are done by real people and not automated systems, and the arbitration is done by a real judge, and every proceeding is open to the public to listen and watch), and eBay's founder was one of the major investors in Linden Lab — one wonders why he never insisted that Second Life ran a similar system!

Oh yes, allowing unvalidated avatars to have all the fun but limit them in the ability to sell stolen content is the way to go! I'm sure that the harder it is for them to sell the content, the less stolen content is available: after all, opportunity makes the thief, as the old saying goes.

Awesome work. Thanks for posting this!

Exactly Gwyn. Lots of folks think its unfair, the whole restrictions on the FREE FOREVER accounts, but we feel we need to pay more attention to to folks that finance this than those who would just mooch off the paying members. That never seemed right to be and I think is one of the reasons so many users go through experience now in Sl as if they were game levels, without any heart or soul to the whole thing. I just think its time we get more real and set things up to promote the values we old timers started out with and did ... well just because we cared about each other .... really. Color me warm an fuzzy - I never claimed to be like regular company owner! LOL

OHHH and thanks for the plug Gwyn! I'm still looking for a dependable honest .. err cheap! Mac coder to work with us on our client!!! Shameless advertisement for help. Then maybe I can get you to come visit us!

((hugs))) Tessa *-)

I've been reading the new 3rd Party Viewer Policy discussion today and posting about the problem that nothing can keep content from being copied. That viewer-writers will need to be validated seems like a good idea. That can stop a bogus viewer from capturing my ID and sending it off. But it does nothing to stop the pirates from changing a viewer for theft.

The solution you propose does the best job of controlling content 'resell' in SL. But, it does nothing to prevent pirates from moving things from SL to OpenLife or the OSGrid.

The hidden watermarks placed in images by various Photoshop plugins might help if the SL upload process did not squish them out (not sure if it completely obliterates it or not).

There is just no good digital solution.

This is a remarkable idea, but I do have one concern: in my experience with network security, identity and credit card theft is far easier to accomplish and get away with than you may realize. IRC and *chan trolls are quite capable of this (ED, for example). I confidently state this because I was almost pulled into that underground world.

Oh yes, you're right! However, the point is that identity and credit card theft are rather serious crimes and hotly pursued; "content theft" is not, and in most jurisdictions, it requires a lawsuit against the person duplicating content to get them to pay a fine or something (but hardly getting them into jail!).

By tying content theft (a misdemeanour) to identity/credit card theft (a major crime), it'll push the "casual pirate" into seriously committing crimes. Now, not every pirate has a criminal mind. Most just do it because you're hardly able to get caught, and even if you do, what happens? A few items get deleted, you get suspended for a few hours (at most) or days (in extreme cases) and can just continue your efforts with a different alt. So there is no serious deterrent, it's so easy to do and with so little punishment that piracy is almost encouraged...

Turning it into a major crime would only limit content piracy to criminals. A few do exist in SL, of course. They're willing to take the risks. But a regular content pirate? No, it's not worth spending some years in jail for credit card fraud just for making a handful of illegitimate L$...

While identity theft is technically a more serious crime, that only applies if you're prosecuted in the United States. In my experience, it's pursued like a misdemeanor. Going back to my previous example, there are plenty of "full disclosures" and "innocent pizza orders" on ED all the time, and very little to nothing comes of it. The FBI knows what is going on, but there is little monetary harm, so they don't generally act, despite the fact that stolen credit cards are used. Hopefully that monetary threshold may work to the advantage of SL vendors?

I do see the value in limiting opportunistic copyright infringement this way, especially because the copybot-paranoia will subside. My larger concern is the impact the increase of ID theft will have on this, the internet, and society in general. :\